MySQL allegedly hacked - via SQL injection

On a security mailing list over the weekend, an unknown party published details about the structure and content of databases on the website of database vendor MySQL. The information was apparently accessible via a security hole on the MySQL.com website.

The hacker says the vulnerability is a blind SQL injection problem. This is a worst case scenario for a web server because the flaw allows access to the entire database behind a public-facing website. SQL injections are possible when SQL commands can be embedded in user input so that Web servers pass them on to the database.

Blind SQL injection means that the result of the database operation is not displayed; in other words, the attacker has to work blindly. In such cases, hackers therefore often ask the database yes/no questions and link one of the answers to a time-consuming operation. Depending on how long it takes the resulting page to appear, they can then tell what the response to the query was.
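The injection mechanism described above, illustrated as an added example that is not part of this article and has nothing to do with MySQL.com's actual code or schema: a lookup that splices user input into the SQL text is placed beside the same lookup done with a bound parameter. It uses SQLite in memory rather than MySQL, with a constructed two-row table, so it runs offline; the table and the input value are assumptions made for the demonstration only.

```python
import sqlite3


def make_db():
    # Constructed sample data; not a real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "hash-of-alice-pw"), (2, "bob", "hash-of-bob-pw")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Vulnerable pattern: the value is embedded in the statement text, so a
    # quote character in `name` ends the literal and the rest is parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened pattern: the driver sends the value separately from the
    # statement, so `name` is only ever compared as data, never parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    # The same input against both lookups: the vulnerable one returns every
    # row, the parameterized one returns nothing because no user has that name.
    conn = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing a quote
    return {
        "vulnerable": lookup_vulnerable(conn, crafted),
        "parameterized": lookup_parameterized(conn, crafted),
        "legit": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14s} -> {rows}")
```

The point for a defender is in the second function: with a bound parameter there is nothing to escape, because the database never sees the input as part of the statement. Detecting the vulnerable form in a code base comes down to finding string formatting or concatenation that builds SQL text from request data.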

Among other things, the data made public includes password hashes for database access, and some of the plain text passwords behind them have already popped up on the internet. Oracle, the database vendor that acquired MySQL when it bought Sun Microsystems in 2010, has yet to comment on the matter.